Responder is an LLMNR (Link-Local Multicast Name Resolution) poisoning utility.
An LLMNR poisoning attack is a technique that lets attackers intercept sensitive information like user credentials. This attack works by exploiting a feature in Windows called Link-Local Multicast Name Resolution, or LLMNR. When a Windows system can’t find a hostname through its usual DNS server, it broadcasts an LLMNR query to the entire local network, essentially asking, “Hey, who knows where this server is?”
This is where a tool like Responder comes in. Responder is a program that listens for these LLMNR requests. It’s a “poisoner” because it’s designed to respond to the query before the legitimate host can. By sending a spoofed response, Responder tricks the victim machine into thinking the attacker’s computer is the requested resource.
Once the victim machine is fooled, the attack unfolds in a couple of ways. The most common is credential theft. Believing it’s connecting to the real resource, the victim’s computer sends its authentication credentials—often in the form of a hashed username and password—directly to the attacker. In addition, the attacker can use Responder to perform general information gathering, learning details like the IP addresses and operating systems of other devices on the network.
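A defender can turn the behavior described above into a detection: ask the local link for a hostname that nobody owns and treat any host that answers as a poisoner. The Python below is an added example, not part of the original page or of Responder; the canary name, the transaction ID and the sample replies (192.0.2.x documentation addresses) are constructed for illustration.

```python
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)  # LLMNR IPv4 multicast group and UDP port (RFC 4795)

def build_query(name, txid):
    """LLMNR A-record query; same wire format as a DNS question."""
    label = name.encode("ascii")
    return (struct.pack("!6H", txid, 0, 1, 0, 0, 0)
            + bytes([len(label)]) + label + b"\x00" + struct.pack("!2H", 1, 1))

def parse_reply(raw):
    """Return (txid, is_response, answer_count, first_label) or None if malformed."""
    if len(raw) < 13 or len(raw) < 13 + raw[12]:
        return None
    txid, flags, _qd, ancount = struct.unpack("!4H", raw[:8])
    name = raw[13:13 + raw[12]].decode("ascii", "replace")
    return txid, bool(flags & 0x8000), ancount, name

def find_poisoners(canary, txid, replies):
    """Any host that answers a query for a name nobody owns is spoofing answers."""
    suspects = set()
    for src_ip, raw in replies:
        rtxid, is_response, ancount, name = parse_reply(raw) or (None, False, 0, "")
        if is_response and rtxid == txid and ancount > 0 and name.lower() == canary.lower():
            suspects.add(src_ip)
    return sorted(suspects)

def probe(canary, txid, timeout=2.0):
    """Send the canary query on the local link and collect (source_ip, bytes) replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(canary, txid), LLMNR_GROUP)
        try:
            while True:
                raw, (src_ip, _port) = s.recvfrom(512)
                replies.append((src_ip, raw))
        except socket.timeout:
            return replies

def constructed_replies(canary, txid):
    """Constructed sample data: one spoofed answer, one stale reply, one truncated packet."""
    q = build_query(canary, txid)
    answer = q[12:-4] + struct.pack("!2HIH4B", 1, 1, 30, 4, 192, 0, 2, 66)
    spoof = struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0) + q[12:] + answer
    stale = struct.pack("!6H", txid ^ 0xFFFF, 0x8000, 1, 1, 0, 0) + q[12:] + answer
    return [("192.0.2.66", spoof), ("192.0.2.10", stale), ("192.0.2.11", b"\x00\x01")]
```

On a live segment, pass the output of probe() to find_poisoners() instead of the constructed replies, using a fresh random canary name for each run.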
Responder Basic Commands
sudo responder -I eth0
sudo responder -I eth0 -b -v
Logs are written to /usr/share/responder/logs/